The topic of how to best secure software supply chains is in the spotlight at this year’s RSA Conference. Many organizations will be sharing their expertise and solutions on how to best defend against the variety of threats that software development and release processes face.
As highlighted in the new ReversingLabs Software Supply Chain Risk Survey, traditional application security testing technologies used to protect software applications are not meeting the challenge of software supply chain security — and companies are retooling.
ReversingLabs Field CISO Matt Rose wrote recently about what app sec teams need to know about the state of Software Composition Analysis (SCA) tools — and why the complexity of modern software development and related threats demand going beyond with a comprehensive software supply chain security approach.
In his talk at RSA Conference this week, The Monsters in Your Software Supply Chain That SCA Can’t Find, Rose will explain why SCA is a good first step, but modern app sec tooling is required to match today's software supply chain risk.
Here are key highlights of Rose’s talk.
[ See special report: The Evolution of App Sec | Get eBook: Why Traditional App Sec Testing Fails on Supply Chain Security ]
Development is changing faster than its security tooling
Software development isn’t the same as it was a decade ago. Today, the way that developers build and release software is much more complicated and expedited. Additionally, more and more organizations, who traditionally weren’t considered “software companies,” are now dabbling in the production of software packages in order to support their business. It’s easier than ever before to access cloud-based platforms and tools to build software, making open source and third-party code key components in today’s software packages.
While these improvements in development speeds and capabilities have proven to be innovative for the software industry, Rose warns that these changes have also brought immense risk to organizations today. Because of the various components that now commonly make up software products, as well as how interconnected and reliant organizations are on third-parties to have functioning software, software supply chains have become not only more complicated, but also highly targeted.
Traditional app sec technologies, such as Static Application Security Testing and Dynamic Application Security Testing (SAST/DAST), have been used by software teams for decades to spot widely-known threats, such as software vulnerabilities. However, software supply chain security has become much more than just vulnerability tracking and patching. And as a result, organizations who are rely on these technologies fall behind in the effort to address today's software supply chain threats.
Even SCA, which has only recently been confirmed by Forrester as an “established market,” doesn’t cover the entirety of threats posed to software supply chains. SCA tools are meant to scan an application in order to generate an inventory of all of its open source and third-party components. Functioning as a type of software bill of materials (SBOM), SCA is essential for providing transparency into the software development lifecycle (SDLC). However, Rose explains in his talk why SCA misses threats such as malware insertion and secrets leaks, making it an insufficient tool on its own. (See related ReversingGlass episode.)
[ See Secrets Exposed special report: An Essential Guide to Securing Secrets in Software ]
Today’s threats call for a modern supply chain security solution
With the sheer number of software supply chain attacks happening in 2023, it is no longer acceptable for software development teams to use tooling that doesn't provide full coverage of every monster that can creep up in a supply chain.
As Rose points out in his briefing, the biggest software supply chain attacks in recent years did not stem from software vulnerabilities alone, but from a variety of threats. For instance, he mentions that the infamous SunBurst compromise on SolarWinds’ Orion software was specifically targeting the product’s release, rather than an exploited vulnerability.
In the more recent example of a supply chain attack targeting CircleCI, Rose explains that attackers in this incident targeted DevOps tooling to cause significant damage. Most worrisome is the fact that in both the SunBurst and CircleCI attacks, the customers of both providers were negatively impacted — and there were many. From major financial institutions to government offices, software supply chain attacks have successfully targeted many critical organizations via the software pipeline.
Rose will also discuss how the federal government is finally catching on to software supply chain security, making it even more worthwhile for software development organizations to act. In its most recent policy move, the White House released the National Cybersecurity Strategy, which has a section dedicated to the protection of software supply chains.
[ Learn about the Cyber Supply Chain Risk Management (C-SCRM) office — and all orders and federal guidance on the software supply chain — in our special report ]
In it, the federal government makes it clear that those who make and release software products are responsible for ensuring their security from supply chain attacks. This immense policy shift, which moves liability away from the end consumer, is a result of major attacks like CircleCI and SolarWinds. These consequential incidents, along with the federal government’s new positioning, are setting the stage for a new era in software supply chain security.
Watch Rose's presentation on SCA and more on Tuesday, April 25 at 12:10pm local time, located in the Briefing Center, South Expo Hall (Moscone), S-2100.
Join ReversingLabs @ RSAC 2023 at Booth 5428.
Article Link: What traditional app sec tools miss: The monsters in your software supply chain